ToolRux

CSP Header Generator

Build a Content Security Policy header interactively. Configure directives, add sources, and copy the generated header string.

Generated CSP Header

Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self'; object-src 'none'

HTML Meta Tag

<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self'; object-src 'none'">

Configure Directives

  • default-src: Fallback for other directives
  • script-src: Valid sources for JavaScript
  • style-src: Valid sources for stylesheets
  • img-src: Valid sources for images
  • font-src: Valid sources for fonts
  • connect-src: Valid targets for fetch, XHR, WebSocket
  • media-src: Valid sources for audio/video
  • object-src: Valid sources for plugins (Flash, etc.)
  • frame-src: Valid sources for iframes
  • child-src: Valid sources for web workers and frames
  • worker-src: Valid sources for Worker/SharedWorker
  • frame-ancestors: Valid parents that can embed this page
  • form-action: Valid endpoints for form submissions
  • base-uri: Restricts the <base> element
  • upgrade-insecure-requests: Upgrade HTTP requests to HTTPS

Learn More

Everything you need to know

What is Content Security Policy?

Content Security Policy (CSP) is one of the most powerful HTTP security headers available to web developers. It tells the browser exactly which sources of content are trusted, effectively preventing cross-site scripting (XSS), clickjacking, and other code injection attacks. By defining a strict policy, you create a whitelist of allowed resources that dramatically reduces your attack surface.

How This Generator Works

Our interactive CSP builder lets you configure each directive individually. Toggle directives on or off, click common values to add them, or type custom source URLs. The generated header string and equivalent HTML meta tag update in real time. Simply copy the output and add it to your server configuration or HTML document.

Key CSP Directives Explained

The most important directives include default-src (fallback policy), script-src (JavaScript sources), style-src (CSS sources), img-src (image sources), connect-src (fetch/XHR targets), frame-ancestors (clickjacking protection), and object-src (plugin content). Start with a restrictive default-src 'none' or default-src 'self' and add specific directives as needed.

CSP Best Practices

  • Start restrictive — Begin with default-src 'self' and add exceptions
  • Avoid unsafe-inline — Use nonces or hashes for inline scripts instead
  • Use report-only first — Test with Content-Security-Policy-Report-Only before enforcing
  • Block plugins — Set object-src 'none' to prevent Flash and other plugins
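The following Python script is an added example, not the generator's own code, showing how the directives above and the best practices in this list fit together: it serialises a directive map into the header value, derives a hash source for a constructed inline script (so 'unsafe-inline' is not needed), mints a per-response nonce, emits the Report-Only header name for the test phase, and refuses to render a <meta> tag for directives such as frame-ancestors that browsers only honour when delivered as an HTTP header. The sample inline script, the policy contents and the lint rules are assumptions chosen for illustration.

```python
import base64
import hashlib
import secrets
from typing import Dict, List

# Constructed sample: one inline script we want to keep without 'unsafe-inline'.
INLINE_SCRIPT = "console.log('hello from inline');"

# Directives that browsers ignore when the policy is delivered via <meta>
# rather than as an HTTP header (per the CSP specification).
META_UNSUPPORTED = ("frame-ancestors", "report-uri", "report-to", "sandbox")


def script_hash(source: str, algo: str = "sha256") -> str:
    """CSP hash-source for an inline script: the browser hashes the exact bytes
    between <script> and </script>, so any whitespace change invalidates it."""
    digest = hashlib.new(algo, source.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def new_nonce(nbytes: int = 16) -> str:
    """Fresh, unpredictable per-response nonce (128 bits, base64)."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def build_policy(directives: Dict[str, List[str]]) -> str:
    """Serialise to the header value: 'name src src; name src; bare-directive'."""
    parts = []
    for name, sources in directives.items():
        parts.append(f"{name} {' '.join(sources)}" if sources else name)
    return "; ".join(parts)


def lint_policy(directives: Dict[str, List[str]]) -> List[str]:
    """Flag the weak settings the best-practice list above warns about (assumed rules)."""
    problems = []
    default = directives.get("default-src", [])
    script = directives.get("script-src", default)
    if "'unsafe-inline'" in script:
        problems.append("script-src allows 'unsafe-inline'; prefer a nonce or hash source")
    if "object-src" not in directives and "'none'" not in default:
        problems.append("object-src is not 'none' and default-src does not block plugins")
    if "base-uri" not in directives:
        problems.append("base-uri is missing; relative script URLs can be redirected via <base>")
    return problems


def header_for(directives: Dict[str, List[str]], report_only: bool = False) -> Dict[str, str]:
    """Return {header-name: value}; report_only selects the non-enforcing header."""
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return {name: build_policy(directives)}


def meta_tag(directives: Dict[str, List[str]]) -> str:
    """Equivalent <meta> tag, refusing directives that only work as an HTTP header."""
    bad = [d for d in META_UNSUPPORTED if d in directives]
    if bad:
        raise ValueError(f"not deliverable via <meta>: {', '.join(bad)}")
    return f'<meta http-equiv="Content-Security-Policy" content="{build_policy(directives)}">'


def example_policy(nonce: str) -> Dict[str, List[str]]:
    """Strict policy: 'self' everywhere, inline script via hash or nonce, no plugins."""
    return {
        "default-src": ["'self'"],
        "script-src": ["'self'", script_hash(INLINE_SCRIPT), f"'nonce-{nonce}'"],
        "style-src": ["'self'"],
        "img-src": ["'self'"],
        "object-src": ["'none'"],
        "base-uri": ["'self'"],
        "frame-ancestors": ["'none'"],
        "upgrade-insecure-requests": [],
    }


if __name__ == "__main__":
    nonce = new_nonce()
    policy = example_policy(nonce)
    # Roll out as Report-Only first, then switch to the enforcing header.
    for name, value in header_for(policy, report_only=True).items():
        print(f"{name}: {value}")
    print("lint:", lint_policy(policy) or "clean")
    weak = {"default-src": ["'self'"], "script-src": ["'self'", "'unsafe-inline'"]}
    print("lint (weak):", lint_policy(weak))
```

The nonce must be generated per response and injected into each <script nonce="..."> tag the server emits; reusing one across responses defeats its purpose. Hash sources suit static inline scripts that never change, while nonces suit templated pages.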

Related Security Tools

Protect your external scripts with SRI Hash Generator, check your SSL configuration with the SSL Checker, or encrypt sensitive data with the Encryption Tool.